RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
5,564 Commits 3 Branches 49 Tags 19 MiB
Commit Graph

5564 Commits

Author SHA1 Message Date
Chris PeBenito e01cd6c98b
Merge pull request #201 from cgzones/rebuild-if-db 
Makefile: add target rebuild-interface-db
 2020-06-03 13:15:01 -04:00
Christian Göttsche b4180614b6 apache: quote gen_tunable name argument 
Match the style of tunable_policy and gen_tunable statements in userdomain

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
 2020-06-02 20:35:30 +02:00
Christian Göttsche dcb01ec4cc devices/storage: quote arguments to tunable_policy 
Match the overall style and please sepolgen-ifgen

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
 2020-06-02 20:35:30 +02:00
Christian Göttsche a3811f4eb4 Makefile: add target build-interface-db 
Build the policy interface database with 'sepolgen-ifgen'.
This database is required for reference style policy generation by
'audit2allow --reference'

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
 2020-06-02 20:35:30 +02:00
Chris PeBenito c950ada4ea openvpn: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-06-02 13:35:57 -04:00
Chris PeBenito ec8b8c5b2a Merge pull request #268 from McSim85/master 2020-06-02 13:18:02 -04:00
McSim85 95c43ef3a4 add rule for the management socket file 
fixed comments from  @bauen1

Signed-off-by: McSim85 <maxim@kramarenko.pro>
 2020-06-02 13:58:46 +03:00
Chris PeBenito b38804e328 init, logging: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-05-27 11:36:44 -04:00
Chris PeBenito fe0a8d2542 Merge pull request #261 from bauen1/confined-debian-fixes 2020-05-27 11:35:49 -04:00
bauen1 be231899f5
init: replace call to init_domtrans_script 
Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-05-27 17:09:06 +02:00
Chris PeBenito c75b2f3642 corecommands, files, filesystem, init, systemd: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-05-27 10:52:49 -04:00
Chris PeBenito d8da662d5e Merge pull request #262 from bauen1/misc-fixes-1 2020-05-27 10:52:07 -04:00
Chris PeBenito 382c5f7c09 domain, setrans: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-05-27 10:46:47 -04:00
Chris PeBenito 5374e1ac16 Merge pull request #264 from bauen1/reenable-setrans 2020-05-27 10:46:08 -04:00
bauen1 b184f71bed
init: fix init_manage_pid_symlinks to grant more than just create permissions 
This was introduced in 4e842fe209 by me.

Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-05-27 14:23:18 +02:00
bauen1 ab2c353048
systemd: allow systemd-user-runtime-dir to do its job 
It requires access to /run/user/UID while running as root

Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-05-27 14:03:05 +02:00
bauen1 7eae84a8b4
lvm-activation-generator also needs to execute lvm 
lvm will also try to read localization.

Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-05-27 14:03:05 +02:00
bauen1 ee323d3b9a
filesystem: pathcon for matching tracefs mount 
Prevent restorecon from trying to relabel /sys/fs/tracing .

Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-05-27 11:51:36 +02:00
bauen1 c9354399f9
corecommands: proper label for unattended-upgrades helpers 
Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-05-27 11:51:36 +02:00
bauen1 ef0238d2d5
init: watch /etc/localtime even if it's a symlink 
Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-05-27 11:51:36 +02:00
bauen1 70e0d26988
files: add files_watch_etc_symlinks interface 
Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-05-27 11:51:36 +02:00
bauen1 9e2e343989
setrans: allow label translation for all domains. 
This partially reverts commit 65da822c1b
Connecting to setransd is still very much necessary for any domain that
uses SELinux labels in any way.

Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-05-22 20:53:47 +02:00
bauen1 8784dd0c66
init: allow systemd to activate journald-audit.socket 
Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-05-22 20:51:46 +02:00
bauen1 5fb8157616
init: make initrc_t a init_domain to simplify the policy 
This also allows init_t initrc_t:process2 nnp_transition which can be
required if the service isn't targeted.

Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-05-22 20:51:39 +02:00
Chris PeBenito 14acb02b90
Merge pull request #259 from cgzones/apache 
apache: use correct content types in apache_manage_all_user_content()
 2020-05-22 14:50:11 -04:00
bauen1 51d76f956f
init: allow systemd to setup mount namespaces 
This is required to boot without the unconfined module.

Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-05-22 20:48:13 +02:00
Chris PeBenito 72f7f7bfb1
Merge pull request #263 from cgzones/makefile_suffixes 
Makefile: remove obsolete .SUFFIXES
 2020-05-22 14:22:56 -04:00
Chris PeBenito f60bdf2d1b
Merge pull request #260 from cgzones/can_exec 
can_exec(): move from misc_macros to misc_patterns
 2020-05-22 14:21:20 -04:00
Christian Göttsche 7366235e1e Makefile: remove obsolete .SUFFIXES 
With the removal of fc_sort there are no more .c files in the repository.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
 2020-05-21 11:42:45 +02:00
Christian Göttsche 40a59af329 can_exec(): move from misc_macros to misc_patterns 
The file misc_macros.spt is due heavy usage of the m4 language
hard to parse for third party tools.
Move the macro can_exec() to misc_patterns.spt, which contains
only interface like define blocks.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
 2020-05-15 15:59:13 +02:00
Christian Göttsche 160e2016bb apache: use correct content types in apache_manage_all_user_content() 
The content types are named httpd_user_rw_content_t and
httpd_user_ra_content_t not httpd_user_content_rw_t and
httpd_user_content_ra_t in apache_content_template()

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
 2020-05-15 00:01:02 +02:00
Chris PeBenito 5b171c223a various: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-05-14 10:32:30 -04:00
Chris PeBenito 28bf3cb4fb Merge pull request #258 from bauen1/misc-fixes-1 2020-05-14 10:27:04 -04:00
Chris PeBenito 2ab326ab2d Merge pull request #253 from cgzones/selint 2020-05-14 10:27:00 -04:00
Chris PeBenito d9d94a93fd
Merge pull request #257 from pebenito/drop-py2-compat 
genhomedircon: Drop Python 2 compatibility code.
 2020-05-14 10:22:55 -04:00
bauen1 09c028ead9
dnsmasq: watch for new dns resolvers 
dnsmasq will watch /etc/resolv.conf for any changes to add new dns
servers immediately.

Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-05-14 09:31:51 +02:00
bauen1 096b8f59f2
semanage: create directories for new policies 
semodule will try to create a directory under /etc/selinux if the policy
it is modifying doesn't exist (e.g. it is being build for the first time).

Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-05-14 09:31:31 +02:00
bauen1 4f9772e309
systemd-fstab-generator needs to know about all mountpoints 
Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-05-14 09:31:30 +02:00
bauen1 da561748d0
corecommands: fix atrild label 
atrild is a daemon shipped by atril, see shell/Makefile.am of
https://github.com/mate-desktop/atril

Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-05-14 09:31:30 +02:00
bauen1 955c5c5253
lvm: create /etc/lvm/archive if it doesn't exist 
Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-05-14 09:31:27 +02:00
bauen1 67dfa3651f
init: read default context during boot 
Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-05-14 09:31:26 +02:00
bauen1 2b11987003
quota: allow quota to modify /aquota even if immutable 
Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-05-14 09:31:26 +02:00
bauen1 0ff1f78619
systemd: allow regular users to run systemd-analyze 
Same deal as with systemd-run this is potentially useful for non
privileged users and especially useful for admins.

Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-05-14 09:31:17 +02:00
Chris PeBenito a229fb0e39 genhomedircon: Drop Python 2 compatibility code. 
Python 2 is end-of-life.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
 2020-05-13 16:12:53 -04:00
Christian Göttsche 57d570f01c chromium/libraries: move lib_t filecontext to defining module 
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
 2020-05-12 20:09:44 +02:00
Christian Göttsche 2884cfe4bc files/miscfiles: move usr_t filecontext to defining module 
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
 2020-05-12 20:09:44 +02:00
Christian Göttsche 75b3bcaf3e files/logging: move var_run_t filecontext to defining module 
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
 2020-05-12 20:09:44 +02:00
Chris PeBenito e7dad518eb application: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-05-12 11:24:40 -04:00
Chris PeBenito 5387a29b40 Merge pull request #255 from bauen1/fix-sudo-ssh 2020-05-12 11:24:10 -04:00
bauen1 dd8ed0ba14
application: applications can be executed from ssh without pty 
For example ansible uses `ssh localhost sudo id` to become root.
This doesn't appear to be necessary in redhat due to https://src.fedoraproject.org/rpms/openssh/blob/master/f/openssh-6.6p1-privsep-selinux.patch

Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-05-12 16:52:59 +02:00